Inside Security (Feb 6th, 2018)

David’s Take

As many readers of this newsletter know, we produce a special premium-only edition every Thursday for subscribers. This week Incapsula is picking up the tab so that all of you can read it; watch your inboxes then for this edition.

In our top story, we dive deeper into the Strava/Fitbit data leaking controversy, citing a few different researchers who have been working for several years and warning about the consequences of wearables that aren’t very secure.

New research has found that all WordPress websites suffer from a major flaw that could subject them to DoS attacks. The vendor denies this is a bug. I tried to reproduce it on my own WP server but wasn't successful, though I wasn't too diligent. The Hacker News staff was able to verify that it is authentic. The researcher has posted a fix on GitHub.

--David Strom, editor of Inside Security

Top Story: Fitbit leaking continues

Stories at the end of January reported that heatmaps published by the fitness app Strava revealed the locations of users living on military bases. Now Henrik Lied, a Norwegian journalist, has coaxed Strava into revealing the names of some of the soldiers and other personnel on those bases. Strava's "Flyby" feature shows other users who were training nearby at the same time; by generating synthetic geolocation routes through the bases and automating the lookups with some Python scripting, he was able to identify 18 people at various locations around the world.

Lied isn't the only one working with this data. It is an active area of security research, which John Scott-Railton frames as PAPI (Presence, Activity, Profile, and Identification), the layers of information such data exposes about a person. He and Citizen Lab have done a lot of work in this area and, in 2016, published a comparative analysis of several fitness trackers. They found that almost every device broadcast a persistent Bluetooth MAC address, which lets anyone with a Bluetooth receiver track the wearer, and that many of the companion apps sent geolocation data even when the user wasn't working out, often without encryption. – CITIZEN LAB
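
A practical version of the Citizen Lab check, added here as an example rather than code from Citizen Lab or any tracker vendor: given the advertiser addresses a Bluetooth LE scanner reports over time, classify each address by its type and flag wearables that can be followed from sighting to sighting. It assumes the scanner supplies (timestamp in seconds, address, address type), with the address type, "public" or "random", taken from the controller's LE Advertising Report; the sightings in the block are constructed. A device is flagged when its address kind never changes (public or static random) or when one private address stayed in use longer than the 15-minute rotation interval the Bluetooth specification recommends, which catches devices that implement private addresses but never rotate them.

```python
"""Flag Bluetooth LE advertisers whose address lets a third party track the wearer.

Added example for this page, not Citizen Lab code. Input: sightings as
(timestamp_seconds, address, address_type), where address_type is the value
the Bluetooth controller reports in an LE Advertising Report: "public" or
"random". The sample sightings at the bottom are constructed.
"""

# Bluetooth Core Spec Vol 6, Part B, 1.3.2: for a random address the two most
# significant bits of the most significant byte give the sub-type.
RANDOM_SUBTYPES = {
    0b11: "static random",           # fixed until power cycle: trackable
    0b01: "resolvable private",      # regenerated periodically: needs the IRK to link
    0b00: "non-resolvable private",  # regenerated periodically: not linkable
}
PERSISTENT_KINDS = ("public", "static random")
ROTATION_S = 15 * 60  # spec-recommended private-address rotation interval


def classify(addr: str, addr_type: str) -> str:
    """Return the address kind for an advertiser address such as 'F3:11:22:33:44:55'."""
    if addr_type == "public":
        return "public"                # IEEE-assigned, never changes
    if addr_type != "random":
        raise ValueError(f"unknown address type {addr_type!r}")
    msb = int(addr.split(":")[0], 16)  # colon-separated, most significant byte first
    try:
        return RANDOM_SUBTYPES[msb >> 6]
    except KeyError:
        raise ValueError(f"reserved random address sub-type in {addr}") from None


def persistent_devices(sightings, rotation_s=ROTATION_S):
    """Return {address: (kind, first_seen, last_seen)} for every address that is of a
    persistent kind, or that stayed in use longer than one rotation interval (a
    private address that does not rotate is just as trackable as a public one)."""
    seen = {}
    for ts, addr, addr_type in sightings:
        addr = addr.upper()
        kind = classify(addr, addr_type)
        first, last = seen.get(addr, (kind, ts, ts))[1:]
        seen[addr] = (kind, min(first, ts), max(last, ts))
    return {
        addr: info
        for addr, info in seen.items()
        if info[0] in PERSISTENT_KINDS or info[2] - info[1] > rotation_s
    }


# Constructed sightings: four devices seen over two hours by one scanner.
SIGHTINGS = [
    (0,    "C4:BE:84:12:34:56", "public"),   # band with a public address
    (3600, "C4:BE:84:12:34:56", "public"),
    (0,    "F3:11:22:33:44:55", "random"),   # 0xF3 -> top bits 11: static random
    (7200, "F3:11:22:33:44:55", "random"),
    (0,    "5A:01:02:03:04:05", "random"),   # 0x5A -> top bits 01: resolvable private
    (600,  "5A:01:02:03:04:05", "random"),
    (1200, "4B:06:07:08:09:0A", "random"),   # same device after rotating its address
    (0,    "3C:0B:0C:0D:0E:0F", "random"),   # 0x3C -> top bits 00, but never rotates
    (5400, "3C:0B:0C:0D:0E:0F", "random"),
]

if __name__ == "__main__":
    for addr, (kind, first, last) in sorted(persistent_devices(SIGHTINGS).items()):
        print(f"{addr}  {kind:22s} seen {first:>5}s .. {last:>5}s")
```

With a real capture, the address type comes from the scanner (for example the `Address_Type` field of an HCI LE Advertising Report), and the interesting output is the third case: an address that is formally private but never changes.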

Funding events of the week

DFLabs, which sells security automation and orchestration tools, announced it has increased its total funding to $9M with additional money from existing investor Evolution Equity Partners. Based in Boston and Milan, it is led by CEO Dario Forte.

Owl has closed an $18M Series A round led by Defy. The Palo Alto-based company makes connected security cameras for cars; its CEO is Andy Hodge.

New Knowledge closed a $1.9M seed round led by Moonshots Capital. The Austin-based vendor of AI-driven disinformation detection is led by CEO Jonathon Morgan.

BigID closed a $14M Series A round led by ClearSky Security. The NYC-based vendor of personal-data discovery and privacy analytics has Dimitri Sirota as its CEO.

BehavioSec closed a $17.5M Series B round led by Trident Capital. The Stockholm-based company sells passive behavioral biometrics tools; its CEO is Neil Costigan.

Attacks and vulnerabilities

Here is a clever phishing campaign built around the Pyeongchang Winter Olympics, which open this week. An email that appeared to come from the Korean National Counter-Terrorism Center carried a malicious Word document. This blog post analyzes how it does its dirty work, including the hidden Visual Basic and PowerShell scripts. – SECURING TOMORROW (McAfee)
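
For the attachment side of this, an added example (not McAfee's analysis tooling) of the first-pass triage a mail gateway can do on an Office attachment without a VBA parser: open the OOXML container, check for a VBA project and the macro-enabled content type, list embedded OLE objects, and flag a macro-bearing file that arrives with a .docx extension. The sample documents are constructed in memory with placeholder parts; the file names and the verdict mapping are assumptions for the demonstration.

```python
"""Triage an Office attachment for the indicators a mail gateway cares about:
VBA macros, embedded OLE objects, and a macro-enabled document hiding behind
a non-macro extension.

Added example for this page; it is not McAfee's analysis code and does not
parse VBA. The sample documents are constructed in memory with placeholder
parts (the vbaProject.bin content is not a real VBA project).
"""
import io
import re
import zipfile

MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
NO_MACRO_EXTS = {"docx", "xlsx", "pptx"}       # these should never carry a VBA project
EMBEDDING_RE = re.compile(r"^(word|xl|ppt)/embeddings/")


def triage_ooxml(data: bytes, filename: str) -> dict:
    """Return a dict of indicators for one attachment (bytes plus its claimed filename)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    result = {"ooxml": False, "macros": False, "macro_content_type": False,
              "embedded_objects": [], "extension_mismatch": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result                            # legacy OLE2 .doc or something else entirely
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["ooxml"] = "[Content_Types].xml" in names
        result["macros"] = bool(names & MACRO_PARTS)
        if result["ooxml"]:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # The main part's content type is the document's own declaration of being
            # macro-enabled, e.g. application/vnd.ms-word.document.macroEnabled.main+xml
            result["macro_content_type"] = "macroEnabled" in types_xml
        result["embedded_objects"] = sorted(n for n in names if EMBEDDING_RE.match(n))
    has_macro = result["macros"] or result["macro_content_type"]
    result["extension_mismatch"] = has_macro and ext in NO_MACRO_EXTS
    return result


def verdict(result: dict) -> str:
    """Map indicators to a gateway action (assumed policy for the demonstration)."""
    if not result["ooxml"]:
        return "review"                         # binary formats need an OLE parser, not this tool
    if result["macros"] or result["macro_content_type"]:
        return "block"
    if result["embedded_objects"]:
        return "review"                         # OLE packages can carry scripts and executables
    return "allow"


def build_sample(macro: bool = False, embedded: bool = False) -> bytes:
    """Construct a minimal Word OOXML container for the demonstration."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")   # OLE2 magic + filler
        if embedded:
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("agenda.docx", build_sample()),
                      ("agenda.docm", build_sample(macro=True)),
                      ("agenda.docx", build_sample(macro=True)),
                      ("agenda.docx", build_sample(embedded=True))]:
        r = triage_ooxml(doc, name)
        print(f"{name}: {verdict(r)} {r}")
```

Actual macro analysis (decompressing and reading the VBA streams) belongs behind the "review" verdict; this pass only decides what never needs to reach a user.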

The Grammarly Chrome extension is used by about 22M people to check spelling and grammar in web forms. A researcher found that it exposed its authentication tokens to any website, allowing anyone to gain access to a user's documents, history, logs, and all other account data. Grammarly issued an automatic update yesterday to fix the issue. – CHROMIUM BLOG

A new botnet is targeting IoT devices, borrowing tactics from existing malware to achieve remote code execution through three separate SOAP requests. Unlike other IoT botnets, it does not have infected devices scan for and exploit new victims; centralized servers do the scanning and exploitation. – RADWARE BLOG

A researcher at Fidelis Cybersecurity has devised a technique that abuses X.509 digital certificates as a covert data-exchange channel. Jason Reaves demonstrated it at a BSides conference last summer; now he has published the details and proof-of-concept code, which carries the data in little-used certificate fields. To counter it, he suggests blocking self-signed certificates such as the ones the PoC uses and checking certificates for embedded executables. – SECURITY AFFAIRS
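
The second of those suggestions, checking certificates for embedded executables, is straightforward to automate. The block below is an added example written for this page, not Reaves' proof of concept: a minimal DER walker that visits every field of a certificate, looks inside OCTET STRING values (which is how extension values are wrapped), and reports any BIT STRING or OCTET STRING leaf that starts with an executable signature or is larger than any legitimate certificate field. The sample "certificate" it builds is a constructed skeleton with a made-up private-enterprise OID on the bogus extension; it is not a valid certificate and is there only to exercise the scanner.

```python
"""Look for data smuggled into X.509 certificate fields.

Added example for this page, not Jason Reaves' proof of concept. It applies the
check the story recommends (executables hidden in certificate fields) with a
minimal DER walker, so it needs only the standard library. The sample
"certificate" is a constructed skeleton (version, serial, extensions, signature)
and the private-enterprise OID on its bogus extension is made up.
"""

EXE_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF",
             b"\xcf\xfa\xed\xfe": "Mach-O", b"\xfe\xed\xfa\xce": "Mach-O"}
MAX_BLOB = 4096  # an RSA-4096 key is ~550 bytes; no legitimate field needs more than this

def der(tag, content):
    """Encode one definite-length DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content

def der_oid(dotted):
    """Encode an OBJECT IDENTIFIER given in dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def der_read(buf, pos=0):
    """Parse the TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def is_der(buf):
    """True if buf is exactly a run of well-formed TLVs (extension values are stored that way)."""
    pos = 0
    try:
        while pos < len(buf):
            tag, _, pos = der_read(buf, pos)
            if tag == 0:
                return False
    except (IndexError, ValueError):
        return False
    return len(buf) > 0

def der_walk(buf, path=()):
    """Yield (path, tag, value) for every TLV, descending into constructed types
    and into OCTET STRINGs that wrap DER."""
    pos = idx = 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        here = path + (idx,)
        yield here, tag, val
        if tag & 0x20 or (tag == 0x04 and is_der(val)):
            yield from der_walk(val, here)
        idx += 1

def scan_certificate(cert_der):
    """Findings for BIT STRING / OCTET STRING leaves that carry an executable or are oversized."""
    findings = []
    for path, tag, val in der_walk(cert_der):
        if tag not in (0x03, 0x04) or (tag == 0x04 and is_der(val)):
            continue  # not opaque bytes, or a wrapper whose contents are walked separately
        body = val[1:] if tag == 0x03 else val  # BIT STRING starts with an unused-bits count
        reasons = [f"executable:{name}" for sig, name in EXE_MAGIC.items() if body.startswith(sig)]
        if len(body) > MAX_BLOB:
            reasons.append("oversized")
        if reasons:
            findings.append({"path": path, "tag": tag, "length": len(body), "reasons": reasons})
    return findings

def build_sample_cert(hide_exe):
    """Constructed certificate skeleton; hide_exe adds an extension carrying a fake PE image."""
    exts = [der(0x30, der_oid("2.5.29.19") + der(0x04, der(0x30, der(0x01, b"\xff"))))]  # basicConstraints
    if hide_exe:
        payload = b"MZ\x90\x00" + b"\x00" * 4096  # PE magic plus padding
        exts.append(der(0x30, der_oid("1.3.6.1.4.1.99999.1") + der(0x04, der(0x04, payload))))  # made-up OID
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0xA3, der(0x30, b"".join(exts))))
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))  # sha256WithRSAEncryption
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 256))  # dummy signature bits

if __name__ == "__main__":
    for label, cert in (("clean", build_sample_cert(False)), ("smuggling", build_sample_cert(True))):
        print(label, scan_certificate(cert))
```

For a real certificate, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` from the standard library gives the DER bytes to pass to `scan_certificate`. The walker deliberately does not parse names, so Reaves' other suggestion, rejecting self-signed certificates, still needs a proper X.509 parser that compares issuer and subject.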

Report

As phishing has evolved and moved increasingly to mobile, phishers have also looked beyond email to distribute their links. This post shows how a phishing landing page can be used to bypass two-factor authentication. -- WANDERA

Just for fun

Act now, and you can buy into the latest cryptocurrency called "PonziCoin." And yes, it does have Equifax-grade security, at least according to the FAQ. -- PONZICOIN
